From 56cdc81c08b1847c5c1f699810a8c3b9ac3715a6 Mon Sep 17 00:00:00 2001
From: Jose and Yehuda <wycats@gmail.com>
Date: Tue, 24 Apr 2012 22:32:09 -0500
Subject: Remove default match without specified method

In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.

In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.

This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.

Closes #5964
---
 railties/lib/rails/application/finisher.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'railties/lib/rails/application')

diff --git a/railties/lib/rails/application/finisher.rb b/railties/lib/rails/application/finisher.rb
index 7da495211d..002c6026e4 100644
--- a/railties/lib/rails/application/finisher.rb
+++ b/railties/lib/rails/application/finisher.rb
@@ -22,7 +22,7 @@ module Rails
       initializer :add_builtin_route do |app|
         if Rails.env.development?
           app.routes.append do
-            match '/rails/info/properties' => "rails/info#properties"
+            get '/rails/info/properties' => "rails/info#properties"
           end
         end
       end
-- 
cgit v1.2.3